Date: Friday, April 11, 2014 @ 05:50:44
Author: thestinger
Revision: 109175
upgpkg: polipo 1.0.4.1-11
run as polipo:polipo, not nobody:nobody
Using the nobody user is insecure, because it makes the service vulnerable to
anything else running as the nobody user.
Modified:
polipo/trunk/PKGBUILD
polipo/trunk/polipo.install
polipo/trunk/polipo.service
+
PKGBUILD |6 +++---
polipo.install | 30 +-
polipo.service |2 +-
3 files changed, 33 insertions(+), 5 deletions(-)
Modified: PKGBUILD
===
--- PKGBUILD2014-04-11 03:34:30 UTC (rev 109174)
+++ PKGBUILD2014-04-11 03:50:44 UTC (rev 109175)
@@ -8,7 +8,7 @@
pkgname=polipo
pkgver=1.0.4.1
-pkgrel=10
+pkgrel=11
pkgdesc=A small and fast caching web proxy.
arch=('i686' 'x86_64')
url=http://www.pps.jussieu.fr/~jch/software/polipo/;
@@ -19,7 +19,7 @@
source=(http://freehaven.net/~chrisd/polipo/polipo-$pkgver.tar.gz;
polipo.service)
md5sums=('bfc5c85289519658280e093a270d6703'
- 'db95d3ac8e571dcb81c02fbb6600ba28')
+ 'bec010ab5e49e6bdb65a825f11333cfd')
build() {
cd $srcdir/$pkgname-$pkgver
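Review bot: The refreshed entry in `md5sums` still relies on MD5, and the tarball listed in `source=` is fetched over plain `http://`, so this array is the only integrity check on the upstream code. MD5 is not collision-resistant, which makes it a weak guard against a substituted download. Consider replacing the array with `sha256sums=('<sha256 of tarball>' '<sha256 of polipo.service>')`, regenerated with `makepkg -g`. `build()` continues outside this hunk.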
@@ -45,7 +45,7 @@
# install systemd service
install -Dm 644 $srcdir/polipo.service
$pkgdir/usr/lib/systemd/system/polipo.service
- install -dm 700 $pkgdir/var/cache/polipo
+ install -dm 700 -o 185 -g 185 $pkgdir/var/cache/polipo
}
# vim:set ts=2 sw=2 et:
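Review bot: The literal `185` in `install -dm 700 -o 185 -g 185` carries no explanation, and the same id is repeated in polipo.install (`groupadd -g 185`, `useradd -u 185`, `chown -R 185:185`). A comment such as `# numeric uid/gid: the polipo account is created by polipo.install (presumably not present at build time); keep in sync with create_polipo_user` would stop the values drifting apart. A mismatch would leave the mode-0700 cache directory owned by an id other than the service user. The enclosing function starts outside this hunk.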
Modified: polipo.install
===
--- polipo.install 2014-04-11 03:34:30 UTC (rev 109174)
+++ polipo.install 2014-04-11 03:50:44 UTC (rev 109175)
@@ -1,15 +1,37 @@
infodir=/usr/share/info
filelist=(polipo.info)
+create_polipo_user() {
+ getent group polipo /dev/null || groupadd -g 185 polipo /dev/null
+ getent passwd polipo /dev/null || useradd -u 185 -g polipo \
+ -d /var/cache/polipo \
+ -c 'Caching web proxy' \
+ -s /bin/nologin polipo /dev/null
+}
+
post_install() {
[ -x usr/bin/install-info ] || return 0
for file in ${filelist[@]}; do
install-info $infodir/$file $infodir/dir 2 /dev/null
done
- chown -R nobody:nobody /var/cache/polipo 2 /dev/null
+ create_polipo_user
}
post_upgrade() {
+ if [[ $(vercmp $2 1.0.4.1-11) -le 0 ]]; then
+echo Stopping polipo service in order to modify the user/group.
+systemctl stop polipo
+
+# in case the user/group were already created as recommended by the wiki
+userdel polipo /dev/null
+groupdel polipo /dev/null
+
+create_polipo_user
+chown -R 185:185 /var/cache/polipo
+
+echo You may now restart the polipo service.
+ fi
+
post_install $1
}
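Review bot: In `post_install`, `create_polipo_user` is called only after `[ -x usr/bin/install-info ] || return 0`, so when install-info is absent the function returns before the account exists and the unit's `User=polipo` has nothing to run as; making `create_polipo_user` the first statement of `post_install` avoids that. Separately, the guard in `post_upgrade` uses `-le 0`, which also matches an upgrade from 1.0.4.1-11 itself, so a reinstall would stop the service and delete and recreate the account; `if [[ $(vercmp "$2" 1.0.4.1-11) -lt 0 ]]; then` looks like the intent. The unconditional `userdel polipo` also removes an account an administrator created by hand, which the echoed message should say.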
@@ -20,4 +42,10 @@
done
}
+post_remove() {
+ getent passwd polipo /dev/null userdel polipo /dev/null
+ getent group polipo /dev/null groupdel polipo /dev/null
+ true
+}
+
# vim:set ts=2 sw=2 et:
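Review bot: `post_remove` deletes the polipo user and group, but nothing visible here removes what the proxy wrote under /var/cache/polipo, so leftover cache files would stay owned by the then-unassigned id 185. If that id is later given to another account, that account would own the old cache contents. Either leave the account in place on removal, or add a comment such as `# files left under /var/cache/polipo stay owned by uid/gid 185 and must be removed manually`.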
Modified: polipo.service
===
--- polipo.service 2014-04-11 03:34:30 UTC (rev 109174)
+++ polipo.service 2014-04-11 03:50:44 UTC (rev 109175)
@@ -4,7 +4,7 @@
[Service]
ExecStart=/usr/bin/polipo
-User=nobody
+User=polipo
[Install]
WantedBy=multi-user.target
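Review bot: `User=polipo` is the only confinement visible in the `[Service]` section; the unit sets no further sandboxing. If polipo does not depend on them, which cannot be verified from this hunk, adding `NoNewPrivileges=true` and `PrivateTmp=true` below `User=polipo` would narrow what a compromised proxy process can reach. The `[Unit]` section lies outside this hunk.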